Yes, but... shouldn't URL Toolbox be smart enough to know that, when using the Mozilla list, an FQDN of foo.company.com.mx results in a ut_domain of company.com.mx, and an FQDN of ale.nubehost.mx results in a ut_domain of nubehost.mx?

I used the Mozilla list. Looking it over, I saw that the max level of elements in a TLD was four. I had to construct the lookup table in the correct order, so that, for example, FQDNs in com.mx would see that TLD before the mx TLD. I also noticed that a few TLDs themselves had MX records, and so could conceivably show up in logs without any other prepended element.

I added a couple rex sed commands to take care of some anomalies I was seeing in rDNS (*.somefqdn.com, and something_other.otherfqdn.com). Since both are illegal as part of a domain name (latter legit only for SRV records, I think), this seemed safe.

Since 2-element TLDs are the most common in logs here, then 1-element, then 3 and then 4, the 'eval dn=' bits in the search are ordered that way.

If there is no match found in the lookup table, the search preserves the original FQDN. I may change this later for my own purposes here, ymmv.

The bits in the middle are what do the work; the rest is a wrapper to illustrate an example search.
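The matching logic described in this answer, sketched in Python as an added example (it is not the poster's search and not URL Toolbox code). The suffix set is a small constructed subset rather than the full Mozilla list, the function names are hypothetical, the two cleanup patterns are an assumed reading of the rex sed step, and candidates are tried longest suffix first.

```python
import re

# Constructed subset of public-suffix entries (assumption: NOT the full Mozilla list).
SUFFIXES = frozenset({
    "com", "mx", "us",           # 1-element
    "com.mx", "ma.us",           # 2-element
    "k12.ma.us",                 # 3-element
    "pvt.k12.ma.us",             # 4-element (the deepest level noted in the answer)
})
MAX_SUFFIX_LABELS = 4


def clean_fqdn(fqdn):
    """Normalise an rDNS value before lookup (assumed equivalent of the rex sed step)."""
    name = fqdn.strip().lower().rstrip(".")
    name = re.sub(r"^\*\.", "", name)           # "*.somefqdn.com" -> "somefqdn.com"
    name = re.sub(r"^[^.]*_[^.]*\.", "", name)  # drop a leading label containing "_"
    return name


def registered_domain(fqdn):
    """Return suffix plus one label, or the original FQDN when nothing matches."""
    name = clean_fqdn(fqdn)
    if name in SUFFIXES:
        # A bare suffix can appear in logs on its own; keep it as it is.
        return name
    labels = name.split(".")
    # Longest candidate first, so "com.mx" is seen before "mx".
    for n in range(min(MAX_SUFFIX_LABELS, len(labels) - 1), 0, -1):
        if ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return fqdn  # no match: preserve the original value


if __name__ == "__main__":
    for sample in ("foo.company.com.mx", "ale.nubehost.mx",
                   "*.somefqdn.com", "host.internal.lan"):
        print(sample, "->", registered_domain(sample))
```
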
